I recently stumbled upon some excellent online training materials from the well respected SANS Institute that could be quite useful to you and your organization.
In a series of online modules, many of them tailored to the particular needs of utilities, SANS "Securing the Human" courseware seems to be an easily digestible, self-paced way to get important cyber security awareness messages across to a large number of users.
Note: NERC CIP content here is constructed around version 3, so with newer versions now approved by NERC and FERC, SANS will want to update certain modules accordingly. But 99% of the material is right on the mark, and would be appropriate for electric sector personnel outside the US as well.
Wherever you fit in the ecosystem, whether you're an executive or a rank and file worker bee, whether you're in a utility, a regulatory agency, a vendor, or just a user of digital technology who wants to stay safe, I recommend you check it out.
---------------
SANS URL:
http://www.securingthehuman.org/utility/index
Showing posts with label FERC.
Tuesday, July 23, 2013
Thursday, May 23, 2013
House of Reps Report Reams Utilities on Cybersecurity
I was trying to capture the spirit of Jesse Berst's headline on the same subject:
Utilities to FERC: Take your security measures and shove it
That's not very nice, is it? I think they toned it down with a later change, but this headline was what was in my inbox in this morning's SmartGridNews.com newsletter. The subject is a recent report published by the House of Representatives that's highly critical of electric utilities' behavior to date re: grid cybersecurity.
Moving on! The Wall Street Journal's Rachel King did a fine write-up of recent testimony from the CEO of the American Gas Association (AGA), Dave McCurdy. King began by noting that:
The oil and gas sector faces many of the same cyber security challenges as the electric industry. Yet, there’s one major difference between the industries, both of which need to secure software-based industrial control systems from intruders. There are no regulations governing cyber security among the oil and gas companies.
Wednesday, June 22, 2011
The Best Talk Ever on NERC CIPs and Grid Security ... Period
I've read some good stuff over the years, though never at work. In the classics department my favorites are The Heart of Darkness, Moby Dick and The Invisible Man. For somewhat shorter, if not lighter fare, I like Haruki Murakami and the Raymonds: Chandler and Carver.
But the line between pleasure reading and work reading has been big, bright and until recently, very, very bold. That is, until I found Stephen Flanagan's mature (by his own reckoning) perspective on the Critical Infrastructure Protection standards (CIPs), the culture of utilities, and the difference between compliance and commitment:
I have a problem with this term “compliance.” In fact I think it’s bad terminology for the CIP program and gets us into the entire wrong mindset from the get-go. And why do I think this? Well although the term “compliance” has a more or less precise legal definition, its use among the uninitiated does not have the same connotations. I fear that when many hear the term they look more to Webster than Black as the dictionary of choice. And in Webster one is likely to find the word defined as: Compliance: –noun, 1. the act of conforming, acquiescing, or yielding. 2. a tendency to yield readily to others, especially in a weak and subservient way.
He asks "How does that grab you?" and continues:
... in my opinion, for reliability, and I stick CIP into the reliability program as a whole in this discussion, I think the better term would be “commitment” rather than “compliance.” Why “commitment” you may ask. Well again Mr. Webster provides some helpful insights: Commitment: –noun, 1. the act of committing, pledging, or engaging oneself. 2. a pledge or promise; obligation. 3. engagement; involvement.
Flanagan concludes with "Now doesn’t that sound a whole lot better?" Yes, it sure does.
I've never heard the compliance vs. security conundrum more eloquently and simply put. Compliance mentality is an organizational, cultural disease that undermines real proactive security attitude and action. I'll take engagement and involvement every time.
There's a whole lot more to savor and appreciate in this learned, witty, irreverent article. You may find the occasional typo, and maybe the title's a bit alarmist, but that's likely because this isn't actually a work of great literature. However, in my experience, and in our space, Stephen Flanagan's keynote address is one for the ages ... a grid and Smart Grid security masterpiece.
You can read the whole thing HERE.
Tuesday, May 17, 2011
FERC's Director of Reliability Speaks Out on Grid Gaps
While you were relaxing and celebrating Cinco de Mayo with cervezas y margaritas and such, FERC's Joe McClelland was on the job (as always), testifying before a Senate committee on what he sees as the current gaps in coverage in grid protections and what should be done about them.
For starters, he laid it out quite simply:
The Commission (FERC) currently does not have sufficient authority to require effective protection of the grid against cyber or physical attacks. If adequate protection is to be provided, legislation is needed and my testimony discusses the key elements that should be included in legislation in this area.
He then proceeded with something you should know about if you didn't already ... about US cities and 2 entire states:
Currently, the Commission’s jurisdiction and reliability authority is limited to the “bulk power system,” as defined in the Federal Power Act (FPA), and therefore excludes Alaska and Hawaii, including any federal installations located therein. The current interpretation of “bulk power system” also excludes some transmission and all local distribution facilities, including virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber or other national security threats to reliability that involve such facilities and major population areas.
And beyond the geographic dead-zones he called out above, and the fact that the CIPs miss the majority of the grid by entirely missing the distribution network, there's also the temporal issue ... the current process is slow ... way too slow depending on the nature of the threats to be countered:
The procedures used by NERC ... can be an impediment when measures or actions need to be taken to address threats to national security quickly, effectively and in a manner that protects against the disclosure of security-sensitive information. The current procedures ... do not provide an effective and timely means of addressing urgent cyber or other national security risks to the bulk power system, particularly in emergency situations. Certain circumstances, such as those involving national security, may require immediate action, while the reliability standard procedures take too long to implement efficient and timely corrective steps.
I could go on citing McClelland's sharp observations and recommendations, but maybe it's better for you to get the rest in the complete context. There's a lot more to take in so click HERE for the full transcript. If you're like me, you've got to be glad Joe is on the job.
Photo credit: yngrich on Flickr.com
Tuesday, May 3, 2011
FERC and NERC: Who Blinks First on Bright-Lines?
This post continues a series where we try to get a fix on where the next versions of the CIPs are going, and exactly when they're coming (see previous posts on this topic from March and April of this year).
You know, if there was some sex or violence, or even a little Ian Fleming-esque international intrigue involved, the quest for the next version of the NERC CIPs might merit its own slot on prime time. As it is, however, it can best be called a regulatory reality show.
As this new open letter (registration required) from security consultancy Matrikon reveals, the producer, FERC, seems to be tiring of its wayward plot and may begin inserting a script more to its own liking.
While a full accounting of recent events gets quickly quite complicated, much of the kerfuffle centers on the so-called "bright line criteria" (aka, the rules) used to determine which additional electrical generation and transmission assets will get CIP scrutiny when the long awaited version 4 finally arrives.
I'm oversimplifying things, of course, but in a nutshell, FERC wants more bulk power assets monitored, while utilities want fewer. And poor NERC is caught in between, taking too long, and hamstrung by the rules that govern its actions.
The open letter paints a pretty good picture of this dynamic, and while never claiming certain knowledge of how things will ultimately play out, I think this paragraph imparts the tension of the present impasse:
Earlier in the NERC/FERC relationship, FERC would have simply disapproved Version 4 and sent it back to NERC to rewrite, submit for new comments and ballot(s), redo the survey with whatever changes came out of the balloting and then make a new filing to FERC. This would probably take close to a year. Our guess is this will not happen. FERC has been losing patience with the NERC standards process for a while, and they (and members of Congress) have repeatedly stated that the security of the BES is at risk given the current coverage of critical assets in NERC CIP.
Seems like the ball is in FERC's court. All we can do is stay tuned. And of course, if I've misrepresented the current situation in some way, please let me know so I can help get the right knowledge out there.
Monday, January 10, 2011
Conference Alert: FERC Technical Conference - Taking a Measured Breath Before Resuming Smart Grid Standards March
As a standards development project, NIST and crew have moved with breathtaking speed. The time has come for the community to weigh in, and for FERC to see if "sufficient consensus" exists to begin to formalize these standards. Here are some of the details for you:
Title: Technical Conference on Smart Grid Interoperability Standards
To refresh: the five "foundational" standards and their functions are:
- IEC 61970 and IEC 61968: Providing a Common Information Model (CIM) necessary for exchanges of data between devices and networks, primarily in the transmission (IEC 61970) and distribution (IEC 61968) domains
- IEC 61850: Facilitating substation automation and communication as well as interoperability through a common data format
- IEC 60870-6: Facilitating exchanges of information between control centers
- IEC 62351: Addressing the cyber security of the communication protocols defined by the preceding IEC standards
Click HERE for the original NIST press release on "the five."
Conference Description: The purpose of the technical conference is to obtain further information to aid the Commission’s determination of whether there is “sufficient consensus” that the five families of standards posted by the National Institute of Standards and Technology and included in this proceeding are ready for Commission consideration in a rule making proceeding, as directed by section 1305(d) of the Energy Independence and Security Act of 2007.
Day/Time: Jan 31, 1-5 pm ET
Additional details, including live link: HERE. You're also free to attend in person in DC.
Friday, December 10, 2010
Looking Back and Looking Forward on Smart Grid Cyber Security at GridWise 2010
As Mark Twain (or Hemingway, Cicero, Voltaire, Blaise Pascal or George Bernard Shaw) once said, "If I had more time, I would have made it shorter." That's true of the 25-min audio that accompanies this post - feel free to fast forward. But I believe you'll find the content here interesting, and depending on your line of work vis a vis the Smart Grid, maybe even helpful.
There were several good questions and comments during the Q&A session that followed, but the one I appreciated most was that this wasn't the typical doom and gloom message that typifies many energy sector security presentations. I count that as good news as that is a design objective. As we've said before, no good work gets done by people in the fetal position. And we've got plenty of work to do.
For more from GridWise here's a LINK to the organization's cyber security resources page. These are great people moving mountains as they advocate for Smart Grid progress. Highly recommend you give them your support and/or get involved if you haven't already.
Tuesday, December 7, 2010
FERC and NERC Down the 2010 Cyber Security Standards Home Stretch
Been saying it all year: tension is building between those who want to tighten up security standards faster and those who want to take a gentler, but more predictable path. FERC and NERC have been the primary protagonists in this struggle, as described a few months ago HERE.
For those who are paying attention, a few items have surfaced as the year winds down; here's a short summary for you:
First we have the so-called "bright line" ruling in which FERC says we (especially NERC) need a new and crisper definition of the bulk electric system (BES). Here's an excerpt in their own words:
Today's final rule directs NERC to revise its definition of the term “bulk electric system” to ensure that the definition encompasses all facilities necessary for operating an interconnected electric transmission network .... FERC said the ultimate goal ... is to eliminate inconsistencies across regions, eliminate the ambiguity created by the current characterization of the 100 kilovolt (kV) threshold as a general guideline, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules.
So the ball's in NERC's court on that one. A few days after that press was released, FERC Commissioner Jon Wellinghoff spoke out on security and the Smart Grid for Forbes.com. Seems like he really wishes things could go a lot further and a lot faster than they have so far, and that Congress hasn't come through yet:
... there have been a number of legislative proposals put forward, none of which have been passed….
Without mentioning it by name, he also plugs the GRID Act which is still stuck half-way through Congress:
We do believe that there’s some additional authority necessary with respect to cyber-security, especially with respect to an imminent threat or vulnerability. We think FERC needs the authority to issue an order to the utilities to take a specific action. Right now we don’t have that authority. It all has to go through the National Electric Reliability Corporation…. It’s kind of a cumbersome process now, that takes a lot longer than you would want if you knew of some immediate threat or vulnerability….
Which brings us to some analysis of what's on deck for 2011 in the NERC CIP world. From NERC CIP compliance experts Abidance Consulting, here's their well informed take on which way this will likely play out in version 4 of the CIPs:
The NERC CIP Standards are being reviewed and updated by various NERC committees to include the Standards & Development Team .... The new version(s) will categorize Critical Assets and Critical Cyber Assets based on impact assessment as “High”, "Medium" and "Low". The new methodology will not use the current Critical Assets and Critical Cyber Assets. [Rather], CIP standards will be customized to each category based on their impact on the BES ....
That's a heck of a lot of change. Too much for some, though others would call it long overdue. And here's a big (and good) one:
The new version of CIP will expose several assets to CIP compliance requirements unlike today as the serial connection will no longer be able to provide immunity from compliance.
This change, if and when it takes effect, will reverse a trend that some analysts have used to argue that the CIPs actually weaken grid security.
We could go on, but this is a blog and our job is to keep these posts short and tasty. Kind of like tapas. Speaking of which, there's plenty of action on the menu for 2011 for utility security pros and everyone in the community who wants to see them succeed. Looking forward to it!
Photo credit: Erik Fitzpatrick on Flickr.com
Tuesday, September 21, 2010
The Pulse Quickens as the Plot Thickens: FERC/NERC continue to Skirmish re: Grid Security Standards
Industry sonar and radar detect nothing but collision ahead as these orgs plow ahead on their respective vectors: FERC wants more security faster for utilities; NERC wants to hold steady with slow, incremental changes. There's some method to each approach, though they're clearly not compatible. I summarized thusly in this week's HuffPo article:
The case for going faster rests on a couple of basic facts and observations. Here are just a few:
- Attacks on energy systems are increasing in tempo and sophistication (for those who haven't heard of it yet, the recently emerging Stuxnet virus has provided a real wake up call for industry in terms of attackers' advanced capabilities)
- Other industries/sectors have much more substantial security controls and governance already in place and have only benefitted from them
- Emphasizing security early in the Smart Grid window will yield benefits including cost savings and much better efficacy
- Oh yeah, and one more little thing: our entire economy and the well being of our nation depend on secure and reliable power infrastructure
- Cultural challenges inside utility co's will hinder attempts to make them change too much too quickly
- Regulatory impediments need to be resolved before the whole system can be secured. For example, the Feds only have jurisdiction over generation and high-voltage transmission assets, while policy for low-voltage distribution is left to the states (and there's little/no standardization of state policy at present)
- Security standards are still taking shape. NERC's CIP standards are still in their infancy, and NIST just released the 1.0 version of its "Smart Grid Cyber Security Strategy and Requirements"
- Lastly, it costs money to significantly ratchet up the security posture of any complex system, not to mention the one that's been called the greatest engineering achievement of the 20th Century
Photo credit: Rosmary on Flickr.com
Monday, August 16, 2010
Wednesday, August 11, 2010
Day One Recap from the 1st Smart Grid Cyber Security Summit
I'm afraid it's a little too late to go for complete coherence, so here are some bleary eyed bullets summarizing a few (but not nearly all) of the first days' highlights:
- Scott Borg of the US Cyber Consequences Unit showed how the US economy can easily weather ~3.5 day outages, but that when you get beyond that duration across a broad region, you get into large and very large effects, as in "massive ... breathtakingly bad." So small, short duration security incidents we can handle and don't need to worry about too much. But we should move (and spend) heaven and earth to ensure we don't experience even one of the very big ones
- Bob Gohn of Pike Research gave us the latest Smart Grid security findings and trends, and announced the release of Pike's latest report on Smart Meter Security
- FERC Commissioner Philip Moeller, whose NERC CIP experience goes back to some of the earliest draft language from the year 2000, acknowledged the challenges NERC faces fielding a uniformly solid field of CIPS auditors, and told us to keep our eyes open for a possible collaborative effort involving FERC and state regulators
- I could do an entire post on Joe Weiss' presentation, but for now let it suffice to say that the Stuxnet virus is much more problematic than initial reports (including one made on this blog) indicated. Here's a decent Stuxnet update from Symantec. Among other things, note the lengths this malware goes to to protect itself from detection
- Joe also made it clear that Smart Grid or no Smart Grid, SCADA/ICS systems are a disaster waiting to happen and that there's not a heck of a lot we can do about it. He supported this point by saying: 1) we have basically zero forensics capabilities to investigate SCADA/ICS attacks; 2) OT hates IT in all sectors, not just energy, and that this culture war gets in the way of migrating good security practices to the SCADA/ICS world; 3) there's nothing at all comprehensive about NERC CIPS; 4) there are 5 or fewer utilities going beyond the security controls required by the CIPS; 5) to work, SCADA/ICS security must be a living program, as every time you change or add something, you impact security; 6) NERC CIPS have made the grid less reliable by enticing some utilities into removing IP connections from some important devices, which makes them exempt from NERC CIP while leaving them dependent on serial connections, which are themselves quite susceptible to attack
- After Joe left the NERC CIPS in smouldering ruins, Rob Shein, HP Cyber Security Architect, coaxed them back to life with a balanced review of what they do and do not cover, and provided reasonable steps orgs can follow to achieve compliance
- Lastly, I moderated a roundtable session on "The Perspective and Path Forward for Energy Utilities" with 3 outstanding panelists: Mike Echols of the Salt River Project, Bobby Brown of Enernex, and Chris Peters from Entergy. They hit a bunch of topics that even late in the day held the audience's attention and responded to lots of questions after they reached the end of my prepared list. But for me, the most memorable of all was also the simplest. Each was asked: would your org be more or less secure in a world without the CIPS? To which the unanimous response was less. So despite all the abuse heaped upon the CIPS during the day (and IMHO, they richly deserve it), the folks fighting this security battle in the trenches say they help far more than they hurt. For me, that fully topped off an already great day, and I'm really looking forward to whatever lessons we can tease out of day 2 of the 1st Smart Grid Cyber Security Summit.
Thursday, July 9, 2009
Danahy on Smart Grid Security in Government Computer News
As power controls take on characteristics more akin to cyber systems, the numbers and types of threats go through the roof. This article in GCN makes the case that FERC's current Critical Infrastructure Protection (CIP) standards and audit practices may be ill-suited to ensure protection of an increasingly Internet-like power grid.
Here's Jack's 2 cents in context:
But some security experts say the standards do not go far enough. The technology of the electric grid was designed with the expectation that it would be a private network rather than an interconnected IP-addressable system, and the security standards focus largely on reliability rather than network integrity.
“I don’t think in today’s world that is even close to being adequate security,” said Jack Danahy, chief technology officer of Ounce Labs. “There has to be a more expansive understanding of what security means.”
The cyber security of the power system is taking on more urgency with development of a new interactive smart grid and recent reports that hackers have compromised the current grid.